**EU Authorities Warn of Rising Cross-Border ICT Risks in Finance**
In a significant development for the European financial sector, the European Supervisory Authorities (ESAs) have released their inaugural annual overview of major Information and Communication Technology (ICT)-related incidents. This report highlights a growing trend of cross-border disruptions and raises concerns about the potential cybersecurity risks posed by increasingly sophisticated artificial intelligence (AI) tools.
The report, a collaborative effort by the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), was published under the framework established by the Digital Operational Resilience Act (DORA). This legislation requires financial entities to follow standardized rules for managing, classifying, and reporting major ICT-related incidents, so that communication with the relevant authorities is consistent across the sector.
The findings indicate that ICT risks are becoming more interconnected and borderless, reflecting the financial sector's increasing dependence on shared digital infrastructures and third-party service providers. Approximately one-third of the 3,383 major ICT-related incidents reported across the EU were found to have cross-border implications, equating to about 0.18 major incidents per entity subject to DORA. Despite the cross-border nature of these incidents, the report noted that the direct impact on clients and financial transactions was generally limited.
The analysis revealed that system failures and external events were the primary causes of these incidents, underscoring the necessity for robust third-party risk management and effective oversight of outsourced services. Close coordination with external service providers during incident response and recovery was also emphasized as a critical factor in mitigating risks.
Interestingly, only 10% of the reported incidents were attributed to cybersecurity threats. However, the ESAs cautioned that financial institutions must maintain the highest cybersecurity standards, especially given the risks associated with the growing use of advanced AI-enabled systems. The report suggests that the emergence of these sophisticated tools could exacerbate existing vulnerabilities within the financial infrastructure.
The authorities underscored the systemic nature of ICT risks in the financial sector, calling for enhanced resilience, supervision, and coordination to improve the industry's capacity to prevent, absorb, and recover from future disruptions. The report serves as a reminder of the importance of maintaining operational resilience in an increasingly digital landscape.
Under Article 22(2) of DORA, the ESAs are mandated to publish annual reports detailing the number of major ICT-related incidents, their nature, their operational and client impacts, the remedial measures taken, and the associated costs. DORA defines an ICT-related incident as any event or series of related unplanned events that compromises the security of network and information systems, affecting the availability, authenticity, integrity, or confidentiality of data or of the services provided by a financial entity. A major ICT-related incident is one that has a significant adverse impact on the network and information systems supporting a financial entity's critical functions.
As the financial sector continues to evolve and integrate advanced technologies, the insights from this report will be crucial for stakeholders aiming to enhance their cybersecurity frameworks and operational resilience strategies. The ESAs' findings serve as a call to action for financial institutions to reassess their risk management practices and ensure they are adequately prepared to navigate the complexities of a digital-first environment.